On 27 February 2013, the Article 29 Data Protection Working Party issued “Opinion 02/2013 on apps on smart devices”.

In this opinion, the Working Party pointed out that the fragmented nature of the app ecosystem, the wide range of technical access possibilities to data stored in or generated by mobile devices and the lack of legal awareness amongst developers create a number of serious data protection risks for app users. These risks range from a lack of transparency and lack of awareness amongst app users to poor security measures, invalid consent mechanisms, a trend toward data maximization and elasticity of data processing purposes.

Hence, the Working Party clarified the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices, with a focus on the consent requirement, the principles of purpose to correctly inform users, their rights, reasonable retention periods and specifically fair processing of data collected from and about children.

The Working Group highlighted that, in order to process personal data, a legal basis is required as enumerated in Article 7 of the Data Protection Directive. Article 7 distinguishes six legal grounds for data processing: the data subject’s unambiguously given consent; the necessity for the performance of a contract with the data subject; to protect the vital interests of the data subject; the necessity for compliance with a legal obligation; (for public authorities) to perform a task carried out in the public interest; and the necessity for legitimate (business) interests. With regard to the storing of information, or the gaining of access to information already stored in the smart device, the Working Group mentioned Article 5(3) of the ePrivacy Directive (i.e. the consent requirement for placing and retrieving information from a device), which creates a more detailed limitation/restriction of the legal grounds that may be taken into account.

The Working Group concluded its opinion by pointing out that the rules mentioned above apply to any app targeted to app users within the EU, regardless of the location of the app developer or app store, and by issuing many recommendations addressed to app developers, app stores, OS and device manufacturers, and third parties.

In this regard, the Working Group required specifically that app developers must be aware of, and comply with, their obligations as data controllers when they process data from and about users; and be aware of, and comply with, their obligations as data controllers when they contract with data processors, such as when they outsource the collection and processing of personal data to developers, programmers and, for example, cloud storage providers.

Source: Garante per la protezione dei dati personali